Project August 20, 2025

Vulnerability Management Program

Tools: Tenable / Nessus, Microsoft Azure, PowerShell, Bash

Project Overview

This project simulates the implementation of a comprehensive vulnerability management program, from inception to completion — starting with an organization that lacks any existing vulnerability management policies or practices, and finishing with a formal policy enacted, stakeholder buy-in secured, and a full organization-wide vulnerability remediation cycle completed successfully.

  • 72% Vulns Reduced
  • 100% Criticals Fixed
  • 90% Highs Fixed
  • 68% Mediums Fixed

Step 1 — Policy Draft

This phase focused on drafting a Vulnerability Management Policy as a starting point for stakeholder engagement. The initial draft outlines scope, responsibilities, and remediation timelines, and may be adjusted based on feedback from relevant departments to ensure practical implementation before final approval by upper management.

Policy v1.1 — Aug 20, 2025

Scope: All IT assets owned or operated by LogN Pacific, including networks, servers, endpoints, and associated applications.

Responsibilities

  • CISO: Oversight of vulnerability management process and policy compliance
  • Department Heads: Compliance within respective departments
  • CIO: Ensuring vulnerability management integrates with overall IT strategy

Remediation Cadence (CVSS-Based) — v1.1

Severity                 CVSS Range   Window
Critical RCE Zero-Day    9.0–10       48 hours
Critical                 9.0–10       48 hours
High                     7.0–8.9      7 days
Medium                   4.0–6.9      30 days
Low                      0.1–3.9      90 days

Step 2 — Stakeholder Buy-In

A meeting with the server team introduced the draft policy and assessed their capability to meet the proposed remediation timelines. Feedback led to key adjustments before final sign-off.

// Mock Meeting — Policy Review
Manager
Thanks for reviewing the draft policy. Any concerns?
Team Lead
The 48-hour remediation window for all critical vulnerabilities isn't realistic with current staffing.
Manager
Understood. Let's set the window to one week, and reserve the 48-hour requirement for zero-day or high-risk cases.
Team Lead
That works. Could we also have some flexibility during the rollout?
Manager
Yes. Departments will have a six-month adjustment period before full enforcement.
Team Lead
Fair enough. We appreciate being included in the process.

Step 3 — Policy Finalization

After gathering feedback, the policy was revised with updated remediation timelines. Final approval was obtained from upper management, and the policy now serves as the authoritative reference for the program.

Remediation Cadence (CVSS-Based) — v1.2 (Final)

Severity                 CVSS Range   Window
Critical RCE Zero-Day    9.0–10       48 hours
Critical                 9.0–10       7 days
High                     7.0–8.9      2 weeks
Medium                   4.0–6.9      30 days
Low                      0.1–3.9      90 days

Sign-off: CISO Mike Smith · CIO Jane Doe · CEO Bob Roberts — August 20, 2025

Step 4 — Scan Permission Meeting

Before initiating scans, a meeting with the server team was held to coordinate credentialed scan access. A just-in-time Active Directory credential approach was agreed upon to minimize risk.

// Mock Meeting — Initial Scan Permission
Security Analyst
Now that our vulnerability management policy is in place, I'd like to begin scheduling credentialed scans of your environment.
IT Manager
What's involved? I'm concerned about resource utilization, and granting admin credentials to every machine doesn't sound safe.
Security Analyst
Valid concerns. The scan engine sends controlled traffic to identify vulnerabilities — checking registry entries, outdated software, and insecure protocols. To be cautious, let's start with a single server and monitor resource usage.
IT Manager
For credentials, could we use Active Directory accounts that remain disabled until scans run, then deprovisioned afterward?
Security Analyst
Exactly — just-in-time access. That approach works well.
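The just-in-time credential lifecycle agreed in the meeting above, written out as an added example (this is not a script from the original project). It uses the ActiveDirectory module; the account name, OU, group that grants local admin on in-scope servers, and the four-hour window are assumptions. The account is created disabled, enabled only for the scan window with an expiration as a safety net, then disabled and deprovisioned, and the final function lists its logon events on a scanned server so any use outside the window stands out.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original project. Account, OU, group and window are assumptions.

$ScanAccount     = "svc-nessus-scan"                          # assumed service account name
$ScanOU          = "OU=ServiceAccounts,DC=corp,DC=example"   # assumed OU
$ScanRightsGroup = "Scan-LocalAdmins"                         # assumed group granting local admin on in-scope servers
$ScanWindowHours = 4                                          # assumed agreed scan window

function New-ScanAccount {
    # Created disabled: the account can authenticate nowhere until a window is opened.
    $password = Read-Host -Prompt "Initial password for $ScanAccount" -AsSecureString
    New-ADUser -Name $ScanAccount -SamAccountName $ScanAccount -Path $ScanOU `
        -AccountPassword $password -Enabled $false -Description "JIT credentialed-scan account"
    Add-ADGroupMember -Identity $ScanRightsGroup -Members $ScanAccount
}

function Open-ScanWindow {
    # Enable for the window only; the expiration is the safety net if Close-ScanWindow never runs.
    $expires = (Get-Date).AddHours($ScanWindowHours)
    Set-ADAccountExpiration -Identity $ScanAccount -DateTime $expires
    Enable-ADAccount -Identity $ScanAccount
    Write-Output "$ScanAccount enabled until $expires"
    return $expires
}

function Close-ScanWindow {
    # Disable as soon as the scan finishes, then deprovision as agreed with the server team.
    Disable-ADAccount -Identity $ScanAccount
    Remove-ADGroupMember -Identity $ScanRightsGroup -Members $ScanAccount -Confirm:$false
    Remove-ADUser -Identity $ScanAccount -Confirm:$false
    Write-Output "$ScanAccount disabled and removed"
}

function Get-ScanAccountLogons {
    # Run on a scanned server: every 4624 (successful logon) for this account is listed, and
    # InsideWindow = $false marks a logon that happened when the account should have been disabled.
    param([datetime]$WindowStart, [datetime]$WindowEnd)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $WindowStart.AddDays(-1) } `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[5].Value -eq $ScanAccount } |   # TargetUserName
        ForEach-Object {
            [pscustomobject]@{
                Time         = $_.TimeCreated
                LogonType    = $_.Properties[8].Value
                Workstation  = $_.Properties[11].Value
                SourceIp     = $_.Properties[18].Value
                InsideWindow = ($_.TimeCreated -ge $WindowStart -and $_.TimeCreated -le $WindowEnd)
            }
        }
}

# Typical sequence: New-ScanAccount once; then per scan:
#   $start = Get-Date; $end = Open-ScanWindow; <run the credentialed scan>; Close-ScanWindow
#   Get-ScanAccountLogons -WindowStart $start -WindowEnd $end | Where-Object { -not $_.InsideWindow }
```

Starting with a single server, as proposed in the meeting, keeps the group membership small while resource usage is being monitored; the group can be widened per department as the rollout proceeds.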

Step 5 — Initial Scan

An insecure Windows Server was provisioned in Azure to simulate the server team's environment. Vulnerabilities were intentionally introduced, then an authenticated Tenable scan was performed and results exported for the remediation phase.

Azure environment setup for vulnerability scanning
Initial Tenable scan results — 32 vulnerabilities

Step 6 — Assessment & Prioritization

Vulnerabilities were assessed and a remediation priority order was established based on ease of remediation and impact:

  1. Third-party software removal (Wireshark)
  2. Windows OS secure configuration — Protocols & Ciphers
  3. Windows OS secure configuration — Guest Account Group Membership
  4. Windows OS Updates
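The prioritization above is a judgement call on ease and impact. A complementary, mechanical view is to derive each finding's due date from the final policy (v1.2) so that nothing silently slips past its window. The following is an added example, not a script from the original project: it reads a Nessus-style CSV export (the column names mimic a Nessus export; the rows, scores and plugin IDs are constructed placeholders) and reports due dates and overdue items. A zero-day RCE cannot be recognised from the score alone, so that case is an analyst-supplied flag.

```powershell
# Added example, not part of the original project. Sample rows are constructed, not real scan output.

function Get-RemediationWindow {
    # Maps a CVSS base score to the v1.2 remediation cadence.
    param([double]$Cvss, [switch]$ZeroDayRce)
    if ($Cvss -ge 9.0) {
        if ($ZeroDayRce) { return New-TimeSpan -Hours 48 }
        return New-TimeSpan -Days 7
    }
    if ($Cvss -ge 7.0) { return New-TimeSpan -Days 14 }
    if ($Cvss -ge 4.0) { return New-TimeSpan -Days 30 }
    if ($Cvss -ge 0.1) { return New-TimeSpan -Days 90 }
    return $null   # CVSS 0: informational, no policy window
}

function Get-RemediationSchedule {
    param(
        [string]$CsvText,
        [datetime]$ScanDate,
        [datetime]$AsOf = (Get-Date),
        [string[]]$ZeroDayPluginIds = @()   # plugin IDs an analyst has tagged as zero-day RCE
    )
    $CsvText | ConvertFrom-Csv | ForEach-Object {
        $cvss   = [double]$_.'CVSS v3.0 Base Score'
        $window = Get-RemediationWindow -Cvss $cvss -ZeroDayRce:($ZeroDayPluginIds -contains $_.'Plugin ID')
        if ($null -eq $window) { return }   # informational findings carry no deadline
        $due = $ScanDate + $window
        [pscustomobject]@{
            Host     = $_.Host
            PluginId = $_.'Plugin ID'
            Finding  = $_.Name
            CVSS     = $cvss
            Window   = $window
            DueDate  = $due
            Overdue  = ($AsOf -gt $due)
        }
    } | Sort-Object DueDate, @{ Expression = 'CVSS'; Descending = $true }
}

# Constructed sample export (placeholder plugin IDs and scores, not real findings).
$sampleCsv = @"
Plugin ID,CVSS v3.0 Base Score,Risk,Host,Name
900001,9.8,Critical,srv-01,Outdated third-party software
900002,7.5,High,srv-01,Deprecated TLS protocol versions enabled
900003,6.5,Medium,srv-01,Weak cipher suites supported
900004,3.7,Low,srv-01,Sample low-severity finding
900005,0.0,None,srv-01,Informational: service banner
"@

Get-RemediationSchedule -CsvText $sampleCsv -ScanDate (Get-Date "2025-08-20") -AsOf (Get-Date "2025-09-01") |
    Format-Table Host, Finding, CVSS, DueDate, Overdue -AutoSize
```

With the scan dated August 20 and the report run on September 1, the 9.8 finding (7-day window) shows as overdue while the 7.5 finding (2 weeks) still has a few days left; the informational row is dropped, matching the summary's "excluding informational findings".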

Step 7 — Distributing Remediations

The server team received remediation scripts and scan reports to address key vulnerabilities. This streamlined their efforts and prepared them for a follow-up validation scan.

Step 8 — Post-Scan Review Meeting

// Mock Meeting — Post-Discovery Scan Review
Security Analyst
Before we review findings, did the scan cause any outages or resource issues?
IT Manager
No issues. Monitoring showed normal activity — aside from open connections, we wouldn't have known a scan was running.
Security Analyst
Most findings are due to outdated software, including Wireshark. The local guest account is part of the Administrators group, which shouldn't be the case. Deprecated cipher suites (TLS 1.0/1.1) should also be remediated.
IT Manager
Understood. Most servers share the same vulnerabilities so remediation should be consistent. We'll run changes through the next Change Control Board.

Step 9 — CAB Approval

// Mock CAB Meeting — Change Advisory Board
Project Lead
Two remediation items for the server team: removal of insecure protocols and cipher suites. Risk Analyst, walk us through the technical approach.
Risk Analyst
Insecure protocols and cipher suites allow systems to negotiate deprecated algorithms, which creates risk. We developed a PowerShell script that disables insecure options and enables only secure, modern standards via the Windows registry.
Project Lead
Do we have a rollback plan?
Risk Analyst
Yes. We're using a tiered deployment — pilot, pre-production, then full production. Each remediation includes an automated rollback script that restores original registry settings if issues arise.
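The rollback the risk analyst describes rests on having captured the original registry state before the change. Below is an added example of that backup-and-restore pair for the cipher suite policy key (not the project's own rollback script); the backup file location is an assumption. The distinction it preserves is whether the key existed at all before hardening, because restoring an empty policy is not the same as removing it.

```powershell
# Added example, not part of the original project. Backup location is an assumption.
# Run as Administrator before and after the Round 2 hardening script.

$regPath    = "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"
$backupFile = "C:\Remediation\cipher-policy-backup.json"   # assumed path

function Backup-CipherPolicy {
    # Record whether the policy key existed and, if so, the two values the hardening script writes.
    $state = @{ KeyExisted = (Test-Path $regPath); Functions = $null; Enabled = $null }
    if ($state.KeyExisted) {
        $props = Get-ItemProperty -Path $regPath
        $state.Functions = $props.Functions
        $state.Enabled   = $props.Enabled
    }
    New-Item -ItemType Directory -Path (Split-Path $backupFile) -Force | Out-Null
    $state | ConvertTo-Json | Set-Content -Path $backupFile
    Write-Output "Cipher policy state saved to $backupFile"
}

function Restore-CipherPolicy {
    if (-not (Test-Path $backupFile)) {
        throw "No backup found at $backupFile; refusing to roll back without a recorded state."
    }
    $state = Get-Content -Path $backupFile -Raw | ConvertFrom-Json
    if (-not $state.KeyExisted) {
        # The key did not exist before hardening: remove it so Windows defaults apply again.
        Remove-Item -Path $regPath -Recurse -Force -ErrorAction SilentlyContinue
    } else {
        if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
        foreach ($name in 'Functions', 'Enabled') {
            if ($null -ne $state.$name) {
                Set-ItemProperty -Path $regPath -Name $name -Value $state.$name
            } else {
                Remove-ItemProperty -Path $regPath -Name $name -ErrorAction SilentlyContinue
            }
        }
    }
    Write-Output "Cipher policy restored from $backupFile. Restart the server for changes to take effect."
}

# Backup-CipherPolicy    # before the pilot deployment
# Restore-CipherPolicy   # only if the tiered rollout surfaces a problem
```

Keeping the backup file alongside the change ticket makes the CAB's question ("Do we have a rollback plan?") answerable with an artifact rather than an assurance.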

Step 10 — Remediation Effort

Round 1 — Wireshark Removal

PowerShell
# Uninstalls Wireshark from the system.
# Author: Josh Madakor | Version: 1.0
# Run as Administrator.

$wiresharkDisplayName  = "Wireshark 2.2.1 (64-bit)"
$wiresharkInstallDir   = "$env:ProgramFiles\Wireshark"
$uninstallerPath       = "$wiresharkInstallDir\uninstall.exe"
$silentUninstallSwitch = "/S"

function Is-WiresharkInstalled {
    return Test-Path -Path $uninstallerPath
}

function Uninstall-Wireshark {
    if (Is-WiresharkInstalled) {
        Write-Output "Uninstalling Wireshark..."
        # The NSIS uninstaller normally copies itself to %TEMP% and exits at once, so a plain call
        # returns before removal has finished. "_?=<installdir>" keeps it running in place (it must be
        # the last argument and unquoted), which makes -Wait and the exit code meaningful.
        $proc = Start-Process -FilePath $uninstallerPath `
            -ArgumentList "$silentUninstallSwitch _?=$wiresharkInstallDir" -Wait -PassThru
        if ($proc.ExitCode -eq 0) {
            # Run in place, the uninstaller cannot delete its own executable; remove the leftover.
            Remove-Item -Path $uninstallerPath -Force -ErrorAction SilentlyContinue
            Write-Output "$($wiresharkDisplayName) has been uninstalled."
        } else {
            Write-Output "Uninstall of $($wiresharkDisplayName) failed with exit code $($proc.ExitCode)."
        }
    } else {
        Write-Output "$($wiresharkDisplayName) is not installed."
    }
}

Uninstall-Wireshark

Result

Follow-up scan confirmed successful Wireshark removal. Critical vulnerabilities dropped to zero.

Scan 2 results after Wireshark removal

Round 2 — Insecure Protocols & Ciphers

PowerShell
# Toggles cipher suites (secure vs insecure) on the system.
# Author: Josh Madakor | Version: 1.0
# Set $secureEnvironment = $true to harden the system.
# Run as Administrator.

$secureEnvironment = $true

# TLS 1.3 and TLS 1.2 AES-GCM suites only. None of these can be negotiated by TLS 1.0/1.1,
# so restricting the list to them also stops those protocol versions from completing a handshake.
$secureCipherSuites = "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256," +
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," +
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"

# SSL Cipher Suite Order policy key (the same location the Group Policy setting writes to).
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"

if (-not (Test-Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}

if ($secureEnvironment) {
    Write-Output "Configuring a secure environment..."
    Set-ItemProperty -Path $regPath -Name "Functions" -Value $secureCipherSuites
    Set-ItemProperty -Path $regPath -Name "Enabled" -Value 1
} else {
    # Non-secure mode: clear the policy override so Windows falls back to its default suite list.
    Write-Output "Configuring an insecure environment..."
    Remove-ItemProperty -Path $regPath -Name "Functions" -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $regPath -Name "Enabled" -ErrorAction SilentlyContinue
}

Write-Output "Cipher suites updated. Please restart the server for changes to take effect."

Result

Follow-up scan confirmed TLS 1.0/1.1 and insecure cipher suites removed. High vulnerabilities dropped by 90%.

Remediation script execution output
Scan 3 results after cipher suite remediation

Round 3 — Guest Account Group Membership

PowerShell
# Toggles guest account Administrators group membership.
# Author: Josh Madakor | Version: 1.0
# Set $AddGuestToAdminGroup = $False to secure the system.

$AddGuestToAdminGroup = $False
$LocalAdminGroup = "Administrators"
$GuestAccount = "Guest"

function Add-GuestToAdminGroup {
    if (-not (Get-LocalGroupMember -Group $LocalAdminGroup -Member $GuestAccount -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group $LocalAdminGroup -Member $GuestAccount
        Write-Output "Guest account has been added to the Administrators group."
    } else {
        Write-Output "Guest account is already a member of the Administrators group."
    }
}

function Remove-GuestFromAdminGroup {
    if (Get-LocalGroupMember -Group $LocalAdminGroup -Member $GuestAccount -ErrorAction SilentlyContinue) {
        Remove-LocalGroupMember -Group $LocalAdminGroup -Member $GuestAccount
        Write-Output "Guest account has been removed from the Administrators group."
    } else {
        Write-Output "Guest account is not a member of the Administrators group."
    }
}

if ($AddGuestToAdminGroup -eq $True) {
    Add-GuestToAdminGroup
} else {
    Remove-GuestFromAdminGroup
}

Result

Guest account successfully removed from the Administrators group. Confirmed via follow-up scan.

Scan 4 results after guest account remediation

Round 4 — Windows OS Updates

Windows Update was re-enabled and all available patches were applied until the system reached a fully up-to-date state.

Summary

Final scan overview showing vulnerability reduction

The remediation process reduced total vulnerabilities by 72%, from 32 to 9 (excluding informational findings).

  • Critical vulnerabilities: 100% resolved by the second scan
  • High vulnerabilities: 90% reduction
  • Medium vulnerabilities: 68% reduction

In a real production environment, asset criticality would further guide prioritization of remaining remediation efforts.

Maintenance Mode

After completing the initial remediation cycle, the vulnerability management program transitions into Maintenance Mode — ensuring vulnerabilities continue to be managed proactively over time.

Key Maintenance Activities

  • Scheduled Vulnerability Scans: Regular scans (weekly or monthly) to detect new vulnerabilities as systems evolve
  • Patch Management: Continuously apply security patches, ensuring no critical vulnerabilities remain unpatched
  • Remediation Follow-ups: Address newly identified vulnerabilities promptly, prioritizing by risk and impact
  • Policy Review: Periodically review the Vulnerability Management Policy to ensure alignment with current security best practices
  • Audit & Compliance: Conduct internal audits to ensure compliance with the policy and external regulations
  • Stakeholder Communication: Maintain open communication with remediation teams for efficient coordination
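Scans run weekly or monthly, but configuration can drift the day after a scan. The following is an added example (not a script from the original project) of a lightweight drift check for the four remediation rounds above, suitable for a scheduled task between scans. The Wireshark path, the expected suite list and the reboot-pending registry key are assumptions and must match what was actually deployed.

```powershell
# Added example, not part of the original project. Paths and expected values are assumptions.
# Run as Administrator on each remediated server.

$expectedSuites = "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256," +
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," +
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
$cipherPolicyKey  = "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"
$wiresharkExe     = "$env:ProgramFiles\Wireshark\Wireshark.exe"
$rebootPendingKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired"

function New-Check([string]$Control, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail }
}

function Test-RemediationState {
    $checks = @()

    # Round 1: third-party software stays removed
    $checks += New-Check "Wireshark absent" (-not (Test-Path $wiresharkExe)) $wiresharkExe

    # Round 2: the cipher suite policy still matches the approved list (a reset would be silent otherwise)
    $actual = (Get-ItemProperty -Path $cipherPolicyKey -ErrorAction SilentlyContinue).Functions
    $detail = if ($actual) { $actual } else { "policy value missing" }
    $checks += New-Check "Cipher suite policy" ($actual -eq $expectedSuites) $detail

    # Round 3: Guest is not back in Administrators; the full membership is reported for review
    $admins = @(Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue)
    $guestPresent = [bool]($admins | Where-Object { $_.Name -like "*\Guest" })
    $checks += New-Check "Guest not in Administrators" (-not $guestPresent) ($admins.Name -join "; ")

    # Round 4: patches applied and effective (a pending reboot means the last update is not yet active)
    $lastPatch = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $checks += New-Check "No reboot pending" (-not (Test-Path $rebootPendingKey)) `
        "last hotfix: $($lastPatch.HotFixID) on $($lastPatch.InstalledOn)"

    return $checks
}

$results = Test-RemediationState
$results | Format-Table -AutoSize
# A non-zero exit lets the scheduler or monitoring flag drift without waiting for the next full scan.
if ($results.Pass -contains $false) { exit 1 }
```

A failed check here is a trigger for the "Remediation Follow-ups" activity, not a replacement for the scheduled scan, which remains the authoritative view of new vulnerabilities.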

Conclusion

By maintaining an active vulnerability management process, organizations can stay ahead of emerging threats and ensure long-term security resilience.